New cybersecurity threat could revive legislation

Jared Serbu, DoD reporter, Federal News Radio

A sudden and surprising upswing in malevolent cyber activity has emerged from locations not usually tied to computer attacks against the United States and might prompt lawmakers to take up some form of cybersecurity legislation when Congress returns for a short post-election lame duck session in late November, the chairman of the House Intelligence Committee said Thursday.

Rep. Mike Rogers (R-Mich.) stopped short of saying there's serious political momentum to resolve the partisan disagreements that have so far blocked any progress on updating the nation's cyber laws, but he said a new kind of cyber threat has emerged in recent days that has sparked renewed concern among lawmakers during classified updates from intelligence agencies.

"It appears to be a new level of threat. I want to be careful about what I say here, but it would target our networks from an unusual source," he said. "It has some very real consequences if we aren't able to deal with it. I think that particular briefing rekindled people's interest in trying to get something done during the lame duck."

When pressed for more details on the cyber threat lawmakers are worried about, Rogers wouldn't go much further.

"There are new capabilities coming online every day," he said. "The Chinese are great at stealing information, but you have other nation-states that are just beginning to develop capabilities to do attacks. Our concern is nation-states who are doing just that, beyond the normal group of countries that we often talk about."

Rogers spoke at a day-long cybersecurity forum hosted by the U.S. Chamber of Commerce, a business group that's supported the House Intelligence Committee's cybersecurity bill, the Cybersecurity Intelligence and Sharing Protection Act (CISPA). The corporate clearinghouse lobbied (successfully, so far) against a more comprehensive undertaking proposed by the Senate Homeland Security and Governmental Affairs Committee.

Bipartisan support for a bill

But Rogers argued CISPA is currently the only cybersecurity bill in Congress with bipartisan support. He told the Chamber audience that Congress should pass a bill resembling CISPA in the short lame duck session, then return next year to deal with other cyber issues like securing the nation's privately-owned critical infrastructure.

"We don't have a lot of time. What people don't realize is that we're at war today in cyberspace. It's happening every single day," he said. "This is the biggest national security threat I can think of that we're not prepared to handle today."

CISPA would create a process by which the government's intelligence community would be required to share classified information on cyber threats in real-time with properly-cleared security pros in the private sector.

Rogers told reporters following his Chamber speech that the threat signatures would have to remain in a classified environment, but be housed in a system that could let signs of attacks be exchanged with the private sector within milliseconds.

"It would be kept offline, off the Internet" he said. "We call it the black box. NSA and other agencies would throw malicious source code into the box, so that you have a remote system for making sure malicious source code can go back and forth in real time. Everything functions the way it does now, just like how McAfee and Norton do it today, except we'll have a forum where we can trade classified information, keep it classified and still protect networks."

Army Gen. Keith Alexander, the director of the National Security Agency and the commander of U.S. Cyber Command, spoke to the same business audience earlier in the day. He didn't discuss the specific upswing in threat activity that Rogers referenced, but he said the national security apparatus is working busily to address worries that cyber attacks will move from just denying access to networks to actual destruction of data, like what happened when electronic intruders erased the hard drives on thousands of computers at Aramco, the Saudi state-owned oil company.

"We are seeing these attacks go on now. We're concerned that they'll morph from disruptive to destructive, like we saw at Aramco. We've got to get out in front of that as a nation," he said. "There's an awful lot of effort going on in the Defense Department, the White House and elsewhere to address those problems, but I can't go into the specifics of those."

Information sharing gained political consensus

Alexander has been cautious not to endorse any particular bill in his public comments, though he has cited the need to go beyond the information sharing provisions in CISPA.

But his comments Thursday appeared to roughly align with Rogers' contention that information sharing between government and industry is the only aspect of the cybersecurity debate that's gained a degree of political consensus so far.

"It's about educating people. Folks on Capitol Hill, both sides, truly see this as a problem and have tremendous interest in solving it," he said. "Now we need to see how we come up with the right solution so that it's not as polarized as it is today. Most people are there on at least the information sharing part. Now we have to take the next step and work together to harden our networks, especially the networks we're going to depend on to defend this country. We've also got to do it in a way that's fiscally acceptable to industry so that they can implement it."

Even if Congress passes a bill resembling CISPA in the lame duck session, enacting it into law would require either changes to the legislation or an about-face from President Obama. The White House warned earlier this year that senior advisors would advise the President to veto the bill because of concerns that personal information on individual citizens could spill into the data exchange between companies and government entities.